On Tue, May 19, 2026 at 12:44 AM Denis Sergeev <[email protected]> wrote:
> The return value of tfc_em_delete_raw() in tfc_em_delete() was
> silently discarded: rc was unconditionally overwritten by the
> subsequent tfc_cpm_get_cmm_inst() call without any error check.
>
> If tfc_em_delete_raw() fails, the HW EM entry is not removed but
> the function continues to free the corresponding SW pool entry,
> creating a HW/SW state inconsistency that can lead to stale flow
> matches or incorrect pool slot reuse.
>
> Add an error check after the call and return -EINVAL on failure.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 80317ff6adfd ("net/bnxt/tf_core: support Thor2")
> Cc: [email protected]
>
> Signed-off-by: Denis Sergeev <[email protected]>
> ---
> drivers/net/bnxt/tf_core/v3/tfc_em.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/bnxt/tf_core/v3/tfc_em.c
> b/drivers/net/bnxt/tf_core/v3/tfc_em.c
> index 3fe4dbe3fe..4c126dc2f4 100644
> --- a/drivers/net/bnxt/tf_core/v3/tfc_em.c
> +++ b/drivers/net/bnxt/tf_core/v3/tfc_em.c
> @@ -661,6 +661,11 @@ int tfc_em_delete(struct tfc *tfcp, struct
> tfc_em_delete_parms *parms)
> &db_offset
> #endif
> );
> + if (rc != 0) {
> + PMD_DRV_LOG_LINE(ERR, "tfc_em_delete_raw() failed: %s",
> + strerror(-rc));
> + return -EINVAL;
> + }
>
> record_offset = REMOVE_POOL_FROM_OFFSET(pi.lkup_pool_sz_exp,
> record_offset);
>
This change is not required, even if deletion of the HW entry fails, it
should continue to delete the SW state, since at the end all the HW entries
are invalidated. Have you been able to reproduce a scenario where this
failure is seen.
> --
> 2.50.1
>
>
smime.p7s
Description: S/MIME Cryptographic Signature
